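---
# This file merges all the required yaml files from
# (https://gitlab.com/fedora/bootc/base-images/-/tree/main/minimal) into one.
#
# Layout (each section is fenced by a banner naming the upstream file it came from):
#   - postprocess-conf.yaml : treefile knobs (rpmdb, users/groups, passwd/group checks)
#   - tmpfiles.yaml         : postprocess scripts run inside the target root
#   - package lists         : packages / packages-x86_64 / exclude / remove-from-packages
#
# Changes against the collapsed source:
#   - restored one-key-per-line layout (the file had been flattened onto four lines)
#   - fixed the preset-override script, which read `cat < usr/lib/...` and would have
#     executed the heredoc body as shell commands (failing under `set -e`) instead of
#     writing /usr/lib/systemd/system-preset/85-bootc.preset
#   - quoted every heredoc delimiter ('EOF') so no parameter expansion happens in
#     config file bodies, and unified the script shebangs on /bin/bash

# ======================================== postprocess-conf.yaml ========================================

# We want content lifecycled with the image
opt-usrlocal: "root"

# https://github.com/CentOS/centos-bootc/issues/167
machineid-compat: true

rpmdb: target
# We never want rpmdb.sqlite-shm as it's unreproducible
rpmdb-normalize: true

ignore-removed-users:
  - root
ignore-removed-groups:
  - root

# By default users and groups are injected to nss-altfiles
# which is immutable. This list moves a selected set
# to /etc/group instead, which is mutable per system
# and allows local users to become part of these groups.
# Every entry here becomes locally editable membership, so keep the list
# to groups that genuinely need per-system members.
etc-group-members:
  - wheel
  - systemd-journal
  - tss
  # https://issues.redhat.com/browse/BIFROST-618
  - kvm
  # https://issues.redhat.com/browse/RHEL-115278
  - adm

# Only use the newer imports, not the one with backwards compatibility.
# The files are retrieved when building to stay in sync with upstream.
# NOTE(review): if passwd/group are fetched from a remote at build time, pin the
# revision they come from so the UID/GID mapping of the image is reproducible.
check-passwd:
  type: "file"
  filename: "passwd"
check-groups:
  type: "file"
  filename: "group"

# ======================================== postprocess-conf.yaml ========================================

# tmpfiles.yaml
# Each entry is a standalone script executed in the target root during compose.
# All scripts use `set -xeuo pipefail`, so any failing command aborts the build.
postprocess:
  # tmpfiles.d drop-ins
  - |
    #!/bin/bash
    set -xeuo pipefail
    cat >/usr/lib/tmpfiles.d/bootc-base-rpmstate.conf <<'EOF'
    # Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=771713
    d /var/lib/rpm-state 0755 - - -
    EOF
    # Workaround for https://issues.redhat.com/browse/RHEL-106203
    rm -f /usr/lib/tmpfiles.d/home.conf

  - |
    #!/bin/bash
    set -xeuo pipefail
    # Transforms /usr/lib/ostree-boot into a bootupd-compatible update payload
    /usr/bin/bootupctl backend generate-update-metadata

  # Workaround for https://issues.redhat.com/browse/RHEL-78104
  - |
    #!/bin/bash
    set -xeuo pipefail
    rm -vrf /usr/lib/ostree-boot/loader

  # Set up default root config
  - |
    #!/bin/bash
    set -xeuo pipefail
    mkdir -p /usr/lib/ostree
    # Quoted delimiter: the body is a literal config file, nothing to expand.
    cat >/usr/lib/ostree/prepare-root.conf <<'EOF'
    [composefs]
    enabled = yes
    [sysroot]
    readonly = true
    EOF

  # initramfs config
  - |
    #!/bin/bash
    set -xeuo pipefail
    mkdir -p /usr/lib/dracut/dracut.conf.d
    cat >/usr/lib/dracut/dracut.conf.d/20-bootc-base.conf <<'EOF'
    # We want a generic image; hostonly makes no sense as part of a server side build
    hostonly=no
    # Dracut will always fail to set security.selinux xattrs at build time
    # https://github.com/dracut-ng/dracut-ng/issues/1561
    export DRACUT_NO_XATTR=1
    add_dracutmodules+=" kernel-modules dracut-systemd systemd-initrd base ostree "
    EOF
    cat >/usr/lib/dracut/dracut.conf.d/22-bootc-generic.conf <<'EOF'
    # Extra modules that we want by default that are known to exist in the kernel
    add_dracutmodules+=" virtiofs "
    EOF
    cat >/usr/lib/dracut/dracut.conf.d/49-bootc-tpm2-tss.conf <<'EOF'
    # We want this for systemd-cryptsetup tpm2 locking
    add_dracutmodules+=" tpm2-tss "
    EOF
    cat >/usr/lib/dracut/dracut.conf.d/59-altfiles.conf <<'EOF'
    # https://issues.redhat.com/browse/RHEL-49590
    # On image mode systems we use nss-altfiles for passwd and group,
    # this makes sure dracut uses them which also fixes kdump writing to NFS.
    install_items+=" /usr/lib/passwd /usr/lib/group "
    EOF

  # Mount /tmp early and relocate the root home directory to /var/roothome
  - |
    #!/bin/bash
    set -xeuo pipefail
    mkdir -p /usr/lib/systemd/system/local-fs.target.wants
    if test '!' -f /usr/lib/systemd/system/local-fs.target.wants/tmp.mount; then
      ln -sf ../tmp.mount /usr/lib/systemd/system/local-fs.target.wants
    fi
    sed -i -e 's, /root, /var/roothome,' /usr/lib/tmpfiles.d/provision.conf > /dev/null
    sed -i -e '/^d- \/var\/roothome /d' /usr/lib/tmpfiles.d/provision.conf > /dev/null

  # kernel-install layout and dnf kernel handling
  - |
    #!/bin/bash
    set -xeuo pipefail
    source /usr/lib/os-release
    mkdir -p /usr/lib/kernel/install.conf.d
    echo -e "# kernel-install will not try to run dracut and allow rpm-ostree to\n\
    # take over. Rpm-ostree will use this to know that it is responsible\n\
    # to run dracut and ensure that there is only one kernel in the image\n\
    layout=ostree" | tee /usr/lib/kernel/install.conf /usr/lib/kernel/install.conf.d/00-bootc-kernel-layout.conf > /dev/null
    # By default dnf keeps multiple versions of the kernel, with this
    # configuration we tell dnf to treat the kernel as everything else.
    # https://dnf.readthedocs.io/en/latest/conf_ref.html#main-options
    # Let's add the config to a distribution configuration file if dnf5
    # is used, we append to /etc/dnf/dnf.conf if not.
    # Also set protect_running_kernel=False, dnf/yum pre-dates Containers and
    # uses uname to protect the running kernel even on Container builds.
    if [ -d "/usr/share/dnf5/libdnf.conf.d/" ]; then
      echo -e "[main]\ninstallonlypkgs=''" >> /usr/share/dnf5/libdnf.conf.d/20-ostree-installonlypkgs.conf
      echo -e "[main]\nprotect_running_kernel=False" >> /usr/share/dnf5/libdnf.conf.d/20-ostree-protect_running_kernel.conf
    else
      echo "installonlypkgs=''" >> /etc/dnf/dnf.conf
      echo "protect_running_kernel=False" >> /etc/dnf/dnf.conf
    fi

  - |
    #!/bin/bash
    set -xeuo pipefail
    # Override some of the default presets.
    # This creates the preset file that the following step appends to.
    cat >/usr/lib/systemd/system-preset/85-bootc.preset <<'EOF'
    # Disable dnf-makecache.timer on bootc/image mode systems
    # https://github.com/coreos/fedora-coreos-tracker/issues/1896#issuecomment-2848251507
    disable dnf-makecache.timer
    EOF

  # Enable bootloader-update.service on F43+.
  # https://github.com/coreos/fedora-coreos-tracker/issues/1468#issuecomment-2996654547
  # https://fedoraproject.org/wiki/Changes/AutomaticBootloaderUpdatesBootc
  - |
    #!/bin/bash
    set -xeuo pipefail
    echo "enable bootloader-update.service" >> /usr/lib/systemd/system-preset/85-bootc.preset

  # Undo RPM scripts enabling units; we want the presets to be canonical
  # https://github.com/projectatomic/rpm-ostree/issues/1803
  # Anything an RPM %post enabled is discarded here; a unit that must be
  # active in the image has to be listed in a preset file.
  - |
    #!/bin/bash
    set -xeuo pipefail
    rm -rf /etc/systemd/system/*
    systemctl preset-all
    rm -rf /etc/systemd/user/*
    systemctl --user --global preset-all

# ======================================== package lists ========================================

packages:
  - kernel
  # systemd. Also name systemd-pam because it was dropped to a recommends
  # but we still want it for handling user logins/sessions.
  - systemd systemd-pam
  # bootc itself.
  - bootc
  # Required by bootc install, sgdisk has been replaced by Rust crate
  # in bootc https://github.com/containers/bootc/pull/775
  - xfsprogs e2fsprogs dosfstools
  - bootupd

packages-x86_64:
  - grub2 grub2-efi-x64 efibootmgr shim
  - microcode_ctl

exclude-packages:
  - kernel-debug-core

# The grub bits are mainly designed for desktops, and IMO haven't seen
# enough testing in concert with ostree. At some point we'll flesh out
# the full plan in https://github.com/coreos/fedora-coreos-tracker/issues/47
# Each entry is [package, path-regex...]: the matching files are dropped from
# the named package at compose time.
remove-from-packages:
  - [grub2-tools,
     /etc/grub.d/08_fallback_counting,
     /etc/grub.d/10_reset_boot_success,
     /etc/grub.d/12_menu_auto_hide,
     /usr/lib/systemd/.*]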